From propositional to first-order monitoring 



Andreas Bauer 1,2, Jan-Christoph Küster 1,2, and Gil Vegliach 1
1 NICTA* Software Systems Research Group, 2 Australian National University

Abstract. The main purpose of this paper is to introduce a first-order temporal
logic, LTL^FO, and a corresponding monitor construction based on a new type of
automaton, called spawning automaton.

Specifically, we show that monitoring a specification in LTL^FO boils down to an
undecidable decision problem. The proof of this result revolves around specific
ideas on what we consider a "proper" monitor. As these ideas are general, we outline
them first in the setting of standard LTL, before lifting them to the setting of
first-order logic and LTL^FO. Although due to the above result one cannot hope to
obtain a complete monitor for LTL^FO, we prove the soundness of our automata-based
construction and give experimental results from an implementation. These
seem to substantiate our hypothesis that the automata-based construction leads to
efficient runtime monitors whose size does not grow with increasing trace lengths
(as is often observed in similar approaches). However, we also discuss formulae
for which growth is unavoidable, irrespective of the chosen monitoring approach.

1 Introduction 

In the area of runtime verification (cf. [14, 13, 9, 6]), a monitor typically describes a
device or program which is automatically generated from a formal specification capturing
undesired (resp. desired) system behaviour. The monitor's task is to passively
observe a running system in order to detect if the behavioural specification has been
satisfied or violated by the observed system behaviour. While, arguably, the majority of
runtime verification approaches are based on propositional logic, there exist works that
also consider first-order logic (cf. [13, 4, 3]). Monitoring first-order specifications has
also gained prior attention in the database community, especially in the context of so
called temporal triggers, which correspond to first-order temporal logic specifications
that are evaluated wrt. a linear sequence of database updates (cf. [7, 8, 19]). Although
the underlying logics are generally undecidable, the monitors in these works usually
address decidable problems, such as "is the observed behaviour so far a violation of a
given specification $\varphi$?" Additionally, in many approaches, $\varphi$ must only ever be a safety
or domain independent property for this problem to actually be decidable (cf. [7, 3]),
which can be ensured by syntactic restrictions on the input formula, for example.

As there exist many different ways in which a system can be monitored in this 
abstract sense, we are going to put forth very specific assumptions concerning the prop- 
erties and inner-workings of what we consider a "proper" monitor. None of these as- 
sumptions is particularly novel or complicated, but they help describe and distinguish 
the task of a "proper" monitor from that of, say, a model checker, which can also be
used to solve monitoring problems as we shall see.

The two basic assumptions are easy to explain: Firstly, we demand that a monitor
is what we call trace-length independent, meaning that its efficiency does not decline
with an increasing number of observations. Secondly, we demand that a monitor is
monotonic wrt. reporting violations (resp. satisfaction) of a specification, meaning that
once the monitor returns "SAT" to the user, additional observations do not lead to it
returning "UNSAT" (and vice versa). We are going to postulate further assumptions,
but these are mere consequences of the two basic ones, and are explained in §2.

At the heart of this paper, however, is a custom first-order temporal logic, in the
following referred to as LTL^FO, which is undecidable. Yet we outline a sound, albeit
incomplete, monitor construction for it based on a new type of automaton, called spawning
automaton. LTL^FO was originally developed for the specification of runtime verification
properties of Android "Apps" and has already been used in that context (see
[5] for details). Although [5] gave a monitoring algorithm for LTL^FO based on formula
rewriting, it turns out that the automata-based construction given in this paper leads to
practically more efficient results.

As our definition of what constitutes a "proper" monitor is not tied to a particular
logic, we will develop it first for standard LTL (§2), the quasi-standard in the area of
runtime verification. In §3, we give a more detailed account of LTL^FO than was available
in [5], before we lift the results of §2 to the first-order setting (§4). The automata-based
monitor construction for LTL^FO along with experimental results is described in §5.
Related work is discussed in §6. Detailed proofs can be found in a separate appendix.

2 Complexity of monitoring in the propositional case 

In what follows, we assume basic familiarity with LTL and topics like model checking
(cf. [2] for an overview). Despite that, let us first state a formal LTL semantics, since
we will consider its interpretation on infinite and finite traces. For that purpose, let $AP$
denote a set of propositions, $\mathrm{LTL}(AP)$ the set of well-formed LTL formulae over that
set, and for some set $X$ set $X^\infty = X^\omega \cup X^*$ to be the union of the set of all infinite
and finite traces over $X$. When $AP$ is clear from the context, or does not matter, we use
LTL instead of $\mathrm{LTL}(AP)$. Also, for a given trace $w = w_0 w_1 \ldots$, the trace $w^i$ is defined
as $w_i w_{i+1} \ldots$. As a convention we use $u, u', \ldots$ to denote finite traces, $a$ for the trace
of length 1, and $w$ for infinite ones or where the distinction is of no relevance.

Definition 1. Let $\varphi \in \mathrm{LTL}(AP)$, $w \in (2^{AP})^\infty$ be a non-empty trace, and $i \in \mathbb{N}_0$, then

$w^i \models p$ iff $p \in w_i$, where $p \in AP$,
$w^i \models \neg\varphi$ iff $w^i \models \varphi$ does not hold,
$w^i \models \varphi \wedge \psi$ iff $w^i \models \varphi$ and $w^i \models \psi$,

$w^i \models X\varphi$ iff $|w| > i$ and $w^{i+1} \models \varphi$,
$w^i \models \varphi U \psi$ iff there is a $k$ s.t. $i \le k < |w|$, $w^k \models \psi$, and for all $i \le j < k$, $w^j \models \varphi$.

And if $w^0 \models \varphi$ holds, we usually write $w \models \varphi$ instead. Although this semantics, which
was also proposed in [17], gives rise to mixed languages, i.e., languages consisting of
finite and infinite traces, we shall only ever be concerning ourselves with either finite-trace
or infinite-trace languages, but not mixed ones. It is easy to see that over infinite
traces this semantics matches the definition of standard LTL. Recall, LTL is a decidable
logic; in fact, the satisfiability problem for LTL is known to be PSpace-complete [18].

As there are no commonly accepted rules for what qualifies as a monitor (not even
in the runtime verification community), there exist a myriad of different approaches
to checking that an observed behaviour satisfies (resp. violates) a formal specification,
such as an LTL formula. Some of these (cf. [14, 4]) consist in solving the word problem
(see Definition 2). A monitor following this idea can either first record the entire
system behaviour in form of a trace $u \in \Sigma^+$, where $\Sigma$ is a finite alphabet of events, or
process the events incrementally as they are emitted by the system under scrutiny. Both
approaches are documented in the literature (cf. [14, 12, 13, 4]), but only the second one
is suitable to detect property violations (resp. satisfaction) right when they occur.

Definition 2. The word problem for LTL is defined as follows.
Input: A formula $\varphi \in \mathrm{LTL}(AP)$ and some trace $u \in (2^{AP})^+$.
Question: Does $u \models \varphi$ hold?

In [17] a bilinear algorithm for this problem was presented (an even more efficient 
solution was recently given in [15]). Hence, the first sort of monitor, which is really 
more of a test oracle than a monitor, solves a classical decision problem. The second 
monitor, however, solves an entirely different kind of problem, which cannot be stated 
in complexity-theoretical terms at all: its input is an LTL formula and a finite albeit 
unbounded trace which grows incrementally. This means that this monitor solves the 
word problem for each and every new event that is added to the trace at runtime. We 
can therefore say that the word problem acts as a lower bound on the complexity of the 
monitoring problem that such a monitor solves; or, in other words, the problem that the 
online monitor solves is at least as hard as the problem that the offline monitor solves. 

There are approaches to build efficient (i.e., trace-length independent) monitors
that repeatedly answer the word problem (cf. [14]). However, such approaches violate
our second basic assumption, mentioned in the introduction of this paper, in that
they are necessarily non-monotonic. To see this, consider $\varphi = a U b$ and some trace
$u = \{a\}\{a\}\ldots\{a\}$ of length $n$. Using our finite-trace interpretation, $u \not\models \varphi$. However,
if we add $u_{n+1} = \{b\}$, we get $u \models \varphi$.¹ For the user, this essentially means that she
cannot trust the verdict of the monitor as it may flip in the future, unless of course it is
obvious from the start that, e.g., only safety properties are monitored and the monitor
is built merely to detect violations, i.e., bad prefixes. However, if we take other monitorable
languages into account as we do in this paper, i.e., those that have either good
or bad prefixes (or both), we need to distinguish between satisfaction and violation of a
property (and want the monitor to report either occurrence truthfully).
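As an added illustration (not code from the paper or its authors), the following Python evaluator implements the finite-trace semantics of Definition 1 and solves the word problem of Definition 2. Re-solving the word problem after every event on the trace $\{a\}\{a\}\ldots\{a\}$ followed by $\{b\}$ reproduces the verdict flip for $a U b$ described above, and the same happens in the other direction for $G\,a$, which is the effect footnote 1 mentions. The tuple encoding of formulae and the sample traces are constructed for this example.

```python
# Finite-trace LTL word-problem checker (Definitions 1 and 2), written for this
# page as an illustration; it is not the authors' implementation.
# Formulae are nested tuples (my own encoding):
#   ('true',)  ('ap', 'a')  ('not', f)  ('and', f, g)  ('X', f)  ('U', f, g)
# A finite trace u = u_0 u_1 ... u_{n-1} is a list of sets of propositions.

def holds(u, i, f):
    """Return True iff u^i |= f under the finite-trace semantics of Definition 1."""
    op = f[0]
    if op == 'true':
        return True
    if op == 'ap':
        return f[1] in u[i]
    if op == 'not':
        return not holds(u, i, f[1])
    if op == 'and':
        return holds(u, i, f[1]) and holds(u, i, f[2])
    if op == 'X':
        # position i+1 must exist in the finite trace, otherwise X f is false
        return i + 1 < len(u) and holds(u, i + 1, f[1])
    if op == 'U':
        # some k with i <= k < |u| satisfies g, and f holds at every i <= j < k
        for k in range(i, len(u)):
            if holds(u, k, f[2]):
                return True
            if not holds(u, k, f[1]):
                return False
        return False
    raise ValueError(f'unknown operator {op!r}')


def word_problem(u, f):
    """Definition 2: does u |= f, i.e. u^0 |= f, hold?"""
    if not u:
        raise ValueError('Definition 1 requires a non-empty trace')
    return holds(u, 0, f)


def verdicts_along(u, f):
    """Re-solve the word problem after each event; a verdict may flip later."""
    return [word_problem(u[:k], f) for k in range(1, len(u) + 1)]


# Common abbreviations: F f = true U f and G f = not F not f.
def eventually(f):
    return ('U', ('true',), f)


def always(f):
    return ('not', eventually(('not', f)))


# Constructed example from Section 2: phi = a U b over u = {a}{a}...{a}, n = 4.
PHI = ('U', ('ap', 'a'), ('ap', 'b'))
U_ONLY_A = [{'a'}] * 4

if __name__ == '__main__':
    print(verdicts_along(U_ONLY_A, PHI))                   # all False
    print(verdicts_along(U_ONLY_A + [{'b'}], PHI))         # flips to True on the 5th event
    print(verdicts_along([{'a'}, {'a'}, set()], always(('ap', 'a'))))  # flips True -> False
```

The `verdicts_along` helper is the "monitor that repeatedly answers the word problem": its output list makes the non-monotonicity visible as a change of verdict between consecutive prefixes, which is exactly what the second basic assumption forbids.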

Definition 3. For any $L \subseteq \Sigma^\omega$, $u \in \Sigma^*$ is called a good prefix (resp. bad prefix) iff
$u\Sigma^\omega \subseteq L$ holds (resp. $u\Sigma^\omega \cap L = \emptyset$).

1 Note that this effect is not particular to our choice of finite-trace interpretation. Had we used,
e.g., what is known as the weak finite-trace semantics, discussed in [10], we would first have
had $u \models \varphi$ and if $u_{n+1} = \emptyset$, subsequently $u \not\models \varphi$.



We shall use $\mathrm{good}(L) \subseteq \Sigma^*$ (resp. $\mathrm{bad}(L)$) to denote the set of good (resp. bad)
prefixes of $L$. For brevity, we also write $\mathrm{good}(\varphi)$ instead of $\mathrm{good}(\mathcal{L}(\varphi))$, and do the
same for $\mathrm{bad}(\mathcal{L}(\varphi))$.

A monitor that detects good (resp. bad) prefixes has been termed anticipatory in [9]
as it not only states something about the past, but also about the future: once a good
(resp. bad) prefix has been detected, no matter how the system would evolve in an
indefinite future, the property would remain satisfied (resp. violated). In that sense,
anticipatory monitors are monotonic by definition. Moreover in [6], a construction is given,
showing how to obtain trace-length independent (even optimal) anticipatory monitors
for LTL and a timed extension called TLTL. The obtained monitor basically returns $\top$
to the user if $u \in \mathrm{good}(\varphi)$ holds, $\bot$ if $u \in \mathrm{bad}(\varphi)$ holds, and $?$ otherwise. Not surprisingly
though, the monitoring problem such a monitor solves is computationally more
involved than the word problem. It solves what we call the prefix problem (of LTL),
which can easily be shown PSpace-complete by way of LTL satisfiability.

Definition 4. The prefix problem for LTL is defined as follows.
Input: A formula $\varphi \in \mathrm{LTL}(AP)$ and some trace $u \in (2^{AP})^*$.
Question: Does $u \in \mathrm{good}(\varphi)$ (resp. $\mathrm{bad}(\varphi)$) hold?

Theorem 1. The prefix problem for LTL is PSpace-complete. 

Proof. For brevity, we will only show the theorem for bad prefixes. It is easy to see that
$u \in \mathrm{bad}(\varphi)$ iff $\mathcal{L}(u_0 \wedge X u_1 \wedge XX u_2 \wedge \ldots \wedge \varphi) = \emptyset$. Constructing this conjunction
takes only polynomial time and the corresponding emptiness check can be performed
in PSpace [18]. To show hardness, we proceed with a reduction of LTL satisfiability.
Again, it is easy to see that $\mathcal{L}(\varphi) \neq \emptyset$ iff $a \notin \mathrm{bad}(X\varphi)$ for any $a \in 2^{AP}$. This reduction
is linear, and as PSpace = co-PSpace, the statement follows. □

We would like to point out the possibility of building an anticipatory though trace- 
length dependent LTL monitor using an "off the shelf" model checker, which accepts 
a propositional Kripke structure and an LTL formula as input. Note that here we make 
the assumption that Kripke structures produce infinite as opposed to finite traces. 

Definition 5. The model checking problem for LTL is defined as follows.
Input: A formula $\varphi \in \mathrm{LTL}(AP)$ and a Kripke structure $\mathcal{K}$ over $2^{AP}$.
Question: Does $\mathcal{L}(\mathcal{K}) \subseteq \mathcal{L}(\varphi)$ hold?

As in LTL the model checking and the satisfiability problems are both PSpace-complete
[18], we can use a model checking tool as monitor: given that it is straightforward to
construct $\mathcal{K}$ s.t. $\mathcal{L}(\mathcal{K}) = u(2^{AP})^\omega$ in no more than polynomial time, we return $\top$ to the
user if $\mathcal{L}(\mathcal{K}) \subseteq \mathcal{L}(\varphi)$ holds, $\bot$ if $\mathcal{L}(\mathcal{K}) \subseteq \mathcal{L}(\neg\varphi)$ holds, and $?$ if neither holds. One
could therefore be tempted to think of monitoring merely in terms of a model checking
problem, but we shall see that as soon as the logic in question has an undecidable satisfiability
problem this reduction fails. Besides, it can be questioned whether monitoring as
model checking leads to a desirable monitor with its obvious trace-length dependence
and having to repeatedly solve a PSpace-complete problem for each new event.
3 LTL^FO — Formal definitions and notation



Let us now introduce our first-order specification language LTL^FO and related concepts
in more detail. The first concept we need is that of a sorted first-order signature, given
as $\Gamma = (S, F, R)$, where $S$ is a finite non-empty set of sorts, $F$ a finite set of function
symbols and $R = U \cup I$ a finite set of a priori uninterpreted and interpreted predicate
symbols, s.t. $U \cap I = \emptyset$ and $R \cap F = \emptyset$. The former set of predicate symbols are
referred to as U-operators and the latter as I-operators. As is common, 0-ary function
symbols are also referred to as constant symbols. We assume that all operators in $\Gamma$
have a given arity that ranges over the sorts given by $S$, respectively. We also assume an
infinite supply of variables, $V$, that also range over $S$ and where $V \cap (F \cup R) = \emptyset$. Let
us refer to the first-order language determined by $\Gamma$ as $\mathcal{L}(\Gamma)$. While terms in $\mathcal{L}(\Gamma)$ are
made up of variables and function symbols, formulae of $\mathcal{L}(\Gamma)$ are defined as follows:

$\varphi ::= p(t_1, \ldots, t_n) \mid r(t_1, \ldots, t_n) \mid \neg\varphi \mid \varphi \wedge \varphi \mid X\varphi \mid \varphi U \varphi \mid \forall(x_1, \ldots, x_n) : p.\ \varphi,$

where $t_1, \ldots, t_n$ are terms, $p \in U$, $r \in I$, and $x_1, \ldots, x_n \in V$. As variables are sorted,
in the quantified formula $\forall(x_1, \ldots, x_n) : p.\ \varphi$, the U-operator $p$ with arity $\tau_1 \times \ldots \times \tau_n$
defines the sorts of variables $x_1, \ldots, x_n$ to be $\tau_1, \ldots, \tau_n$, with $\tau_i \in S$, respectively. For
terms $t_1, \ldots, t_n$, we say that $p(t_1, \ldots, t_n)$ is well-sorted if the sort of every $t_i$ is $\tau_i$.
This notion is inductively applicable to terms. Moreover, we consider only well-sorted
formulae and refer to the set of all well-sorted $\mathcal{L}(\Gamma)$ formulae over a signature $\Gamma$ in
terms of $\mathrm{LTL}^{\mathrm{FO}}_\Gamma$. When a specific $\Gamma$ is either irrelevant or clear from the context, we will
simply write LTL^FO instead. When convenient and a certain index is of no importance
in the given context, we also shorten notation of a vector $(x_1, \ldots, x_n)$ by a (bold) $\mathbf{x}$.

A $\Gamma$-structure, or just first-order structure, is a pair $\mathfrak{A} = (|\mathfrak{A}|, I)$, where $|\mathfrak{A}| = |\mathfrak{A}|_1 \cup
\ldots \cup |\mathfrak{A}|_n$ is a non-empty set called domain, s.t. every sub-domain $|\mathfrak{A}|_j$ is either a
non-empty finite or countable set (e.g., the set of all integers or strings) and $I$ an interpretation.
$I$ assigns to each sort $\tau_j \in S$ a specific sub-domain $\tau_j^I = |\mathfrak{A}|_j$, to each constant symbol
$c \in F$ of sort $\tau_j$ a domain value $c^I \in |\mathfrak{A}|_j$, to each function symbol $f \in F$ of arity
$\tau_1 \times \ldots \times \tau_l \to \tau_m$ a function $f^I : |\mathfrak{A}|_1 \times \ldots \times |\mathfrak{A}|_l \to |\mathfrak{A}|_m$, and to every I-operator
$r$ with arity $\tau_1 \times \ldots \times \tau_m$ a relation $r^I \subseteq |\mathfrak{A}|_1 \times \ldots \times |\mathfrak{A}|_m$. We restrict ourselves to
computable relations and functions. In that regard, we can think of $I$ as a mapping
between I-operators (resp. function symbols) and the corresponding algorithms which
compute the desired return values, each conforming to the symbols' respective arities.
Note that the interpretation of U-operators is rather different from I-operators, as it
is closely tied to what we call a trace and therefore discussed in more detail after we
introduce the necessary notions and notation.

For the purpose of monitoring LTL^FO specifications, we model observed system
behaviour in terms of actions: Let $p \in U$ with arity $\tau_1 \times \ldots \times \tau_m$ and $d \in D_p =
|\mathfrak{A}|_1 \times \ldots \times |\mathfrak{A}|_m$, then we call $(p, d)$ an action. We refer to finite sets of actions as
events. A system's behaviour over time is therefore a finite trace of events, which we
also denote as a sequence of sets of ground terms $\{\mathit{sms}(1234)\}\{\mathit{login}(\text{"user"})\}\ldots$
when we mean the sequence of tuples $\{(\mathit{sms}, 1234)\}\{(\mathit{login}, \text{"user"})\}\ldots$ Therefore
the occurrence of some action $\mathit{sms}(1234)$ in the trace at position $i \in \mathbb{N}_0$, written
$\mathit{sms}(1234) \in w_i$, indicates that at time $i$ it is the case that $\mathit{sms}(1234)$ holds (or, from
a practical point of view, an SMS was sent to number 1234). We follow the convention
that only symbols from $U$ appear in a trace, which therefore gives these symbols their
respective interpretations. The following formalises this notion.

A first-order temporal structure is a tuple $(\bar{\mathfrak{A}}, w)$, where $\bar{\mathfrak{A}} = (|\mathfrak{A}_0|, I_0)(|\mathfrak{A}_1|, I_1)
\ldots$ is a (possibly infinite) sequence of first-order structures and $w = w_0 w_1 \ldots$ a
corresponding trace. We demand that for all $\mathfrak{A}_i$ and $\mathfrak{A}_{i+1}$ from $\bar{\mathfrak{A}}$, it is the case that
$|\mathfrak{A}_i| = |\mathfrak{A}_{i+1}|$, for all $f \in F$, $f^{I_i} = f^{I_{i+1}}$, and for all $\tau \in S$, $\tau^{I_i} = \tau^{I_{i+1}}$. For
any two structures, $\mathfrak{A}$ and $\mathfrak{A}'$, which satisfy these conditions, we write $\mathfrak{A} \sim \mathfrak{A}'$. Moreover,
given some $\bar{\mathfrak{A}}$ and $\mathfrak{A}$, if for all $\mathfrak{A}_i$ from $\bar{\mathfrak{A}}$ we have that $\mathfrak{A}_i \sim \mathfrak{A}$, we also write
$\bar{\mathfrak{A}} \sim \mathfrak{A}$. Finally, the interpretation of a U-operator $p$ with arity $\tau_1 \times \ldots \times \tau_m$ is then
defined wrt. a position $i$ in $w$ as $p^{I_i} = \{d \mid (p, d) \in w_i\}$. Essentially this means that,
unlike function symbols, U- and I-operators don't have to be rigid.

Note also that from this point forward, we consider only the case where the policy 
to be monitored is given as a closed formula, i.e., a sentence. This is closely related to 
our means of quantification: a quantifier in LTL FO is restricted to those elements that 
appear in the trace, and not arbitrary elements from a (possibly infinite) domain. While 
certain policies cannot be expressed with this restriction (e.g., "for all phone numbers 
x that are not in the contact list, r(x) is true"), this restriction bears the advantage 
that, when examining a given trace, functions and relations are only ever evaluated over 
known objects. The advantages of this type of quantification in monitoring first-order
languages have also been pointed out in [13, 4]. In other words, had we allowed free
variables in policies, the monitor might end up having to "try out" all the different 
domain elements in order to evaluate such a policy, which runs counter to our design 
rationale of quantification. 

In what follows, let us fix a particular $\Gamma$. The semantics of LTL^FO can now be
defined wrt. a quadruple $(\bar{\mathfrak{A}}, w, v, i)$ as follows, where $i \in \mathbb{N}_0$, and $v$ is an (initially
empty) set of valuations assigning domain values to variables:

$(\bar{\mathfrak{A}}, w, v, i) \models p(t_1, \ldots, t_n)$ iff $(t_1^v, \ldots, t_n^v) \in p^{I_i}$,
$(\bar{\mathfrak{A}}, w, v, i) \models r(t_1, \ldots, t_n)$ iff $(t_1^v, \ldots, t_n^v) \in r^{I_i}$,

$(\bar{\mathfrak{A}}, w, v, i) \models \neg\varphi$ iff $(\bar{\mathfrak{A}}, w, v, i) \models \varphi$ is not true,
$(\bar{\mathfrak{A}}, w, v, i) \models \varphi \wedge \psi$ iff $(\bar{\mathfrak{A}}, w, v, i) \models \varphi$ and $(\bar{\mathfrak{A}}, w, v, i) \models \psi$,

$(\bar{\mathfrak{A}}, w, v, i) \models X\varphi$ iff $|w| > i$ and $(\bar{\mathfrak{A}}, w, v, i + 1) \models \varphi$,
$(\bar{\mathfrak{A}}, w, v, i) \models \varphi U \psi$ iff for some $k \ge i$, $(\bar{\mathfrak{A}}, w, v, k) \models \psi$,
and $(\bar{\mathfrak{A}}, w, v, j) \models \varphi$ for all $i \le j < k$,
$(\bar{\mathfrak{A}}, w, v, i) \models \forall(x_1, \ldots, x_n) : p.\ \varphi$ iff for all $(p, d_1, \ldots, d_n) \in w_i$,

$(\bar{\mathfrak{A}}, w, v \cup \{x_1 \mapsto d_1, \ldots, x_n \mapsto d_n\}, i) \models \varphi$,

where terms are evaluated inductively, and $x^v$ means $v(x)$. If $(\bar{\mathfrak{A}}, w, v, 0) \models \varphi$, we write
$(\bar{\mathfrak{A}}, w, v) \models \varphi$, and if a particular $v$ is irrelevant or clear from the context, we shortcut
the latter simply to $(\bar{\mathfrak{A}}, w) \models \varphi$.

Later we will also make use of the (possibly infinite) set of all events wrt. $\mathfrak{A}$, given
as $(\mathfrak{A})\text{-Ev} = \bigcup_{p \in U} \{(p, d) \mid d \in D_p\}$, and take the liberty to omit the trailing $(\mathfrak{A})$
whenever a particular $\mathfrak{A}$ is either irrelevant or clear from the context. We can then
describe the generated language of $\varphi$, $\mathcal{L}(\varphi)$ (or simply the language of $\varphi$, i.e., the set of
all logical models of $\varphi$) compactly as $\mathcal{L}(\varphi) = \{(\bar{\mathfrak{A}}, w) \mid w_i \in 2^{\mathrm{Ev}}$ and $(\bar{\mathfrak{A}}, w) \models \varphi\}$,
although, as before, we shall only ever concern ourselves with either infinite- or finite-word
languages, but not mixed ones. Finally, we will use common syntactic "sugar",
including $\exists(x_1, \ldots, x_n) : p.\ \varphi \equiv \neg(\forall(x_1, \ldots, x_n) : p.\ \neg\varphi)$, etc.

For brevity, we refer the reader to [5] for some example policies formalised in
LTL^FO. However, to give at least an intuition, let's pick up the idea of monitoring
Android "Apps" again, and specify that "Apps" must not send SMS messages to numbers
not in a user's contact database. Assuming there exists a U-operator $\mathit{sms}$, which is
true (i.e., appears in the trace) whenever an "App" sends an SMS message to phone number
$x$, we could formalise said policy in terms of $G\,\forall x : \mathit{sms}.\ \mathit{contact}(x)$. Note how in this
formula the meaning of $x$ is given implicitly by the arity of $\mathit{sms}$ and must match the
definition of $\mathit{contact}$. Also note how $\mathit{sms}$ is interpreted indirectly via its occurrence
in the trace, whereas $\mathit{contact}$ never appears in the trace, even if true. $\mathit{contact}$ can be
thought of as interpreted via a program that queries a user's contact database, whose
contents may change over time.
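The following Python evaluator is an added example, not the authors' implementation: it implements the quadruple semantics $(\bar{\mathfrak{A}}, w, v, i) \models \varphi$ of this section over a finite trace, with quantification ranging only over the tuples that actually occur in $w_i$, U-operators looked up in the event, and I-operators modelled as Python callables indexed by the position $i$ (my assumption, to reflect that their interpretation need not be rigid). It then checks the policy $G\,\forall x : \mathit{sms}.\ \mathit{contact}(x)$ against a constructed trace and two constructed contact databases. Function symbols are omitted; terms are variables or constants.

```python
# Evaluator for the finite-trace LTL^FO semantics of Section 3, i.e. the relation
# (A-bar, w, v, i) |= phi, added for this page; it is not the authors' code.
# Assumptions of this encoding (mine, not the paper's):
#   * an event w_i is a set of actions (p, d) with p a U-operator name and d a tuple;
#   * I-operators are Python callables r(i, *args) so their interpretation may
#     differ per position i (U- and I-operators need not be rigid);
#   * terms are ('var', x) or ('const', value); function symbols are omitted.
# Formulae:
#   ('true',) ('pred', p, terms) ('rel', r, terms) ('not', f) ('and', f, g)
#   ('X', f) ('until', f, g) ('forall', (x1, ..., xn), p, f)

def evaluate(term, v):
    """Evaluate a term under valuation v; x^v means v(x)."""
    kind, val = term
    return v[val] if kind == 'var' else val


def sat(w, interp, v, i, f):
    """(A-bar, w, v, i) |= f over the finite trace w with I-operators interp."""
    op = f[0]
    if op == 'true':
        return True
    if op == 'pred':                      # p^{I_i} = {d | (p, d) in w_i}
        d = tuple(evaluate(t, v) for t in f[2])
        return (f[1], d) in w[i]
    if op == 'rel':                       # r^{I_i} is computed by a program
        d = tuple(evaluate(t, v) for t in f[2])
        return bool(interp[f[1]](i, *d))
    if op == 'not':
        return not sat(w, interp, v, i, f[1])
    if op == 'and':
        return sat(w, interp, v, i, f[1]) and sat(w, interp, v, i, f[2])
    if op == 'X':
        return i + 1 < len(w) and sat(w, interp, v, i + 1, f[1])
    if op == 'until':
        for k in range(i, len(w)):
            if sat(w, interp, v, k, f[2]):
                return True
            if not sat(w, interp, v, k, f[1]):
                return False
        return False
    if op == 'forall':
        # quantification ranges only over tuples d that occur as (p, d) in w_i
        xs, p, body = f[1], f[2], f[3]
        for (q, d) in w[i]:
            if q == p:
                v2 = dict(v)
                v2.update(zip(xs, d))
                if not sat(w, interp, v2, i, body):
                    return False
        return True
    raise ValueError(f'unknown operator {op!r}')


# Syntactic sugar used in the text.
def neg(f):
    return ('not', f)

def exists(xs, p, f):
    return neg(('forall', xs, p, neg(f)))

def eventually(f):
    return ('until', ('true',), f)

def always(f):
    return neg(eventually(neg(f)))


def check(w, interp, f):
    """(A-bar, w) |= f, i.e. (A-bar, w, {}, 0) |= f for a sentence f."""
    return sat(w, interp, {}, 0, f)


# The policy G forall x : sms. contact(x) from Section 3.
CONTACT_X = ('rel', 'contact', (('var', 'x'),))
POLICY = always(('forall', ('x',), 'sms', CONTACT_X))

# Constructed trace: {sms(1234)} {login("user")} {sms(5555)}.
TRACE = [{('sms', (1234,))}, {('login', ('user',))}, {('sms', (5555,))}]

# Constructed contact databases per position; the second one gains 5555 in time.
CONTACTS_STALE = [{1234}, {1234}, {1234}]
CONTACTS_UPDATED = [{1234}, {1234}, {1234, 5555}]

def interp_for(contacts):
    return {'contact': lambda i, x: x in contacts[i]}

if __name__ == '__main__':
    print(check(TRACE, interp_for(CONTACTS_STALE), POLICY))     # False: 5555 unknown
    print(check(TRACE, interp_for(CONTACTS_UPDATED), POLICY))   # True
    print(check(TRACE, interp_for(CONTACTS_STALE),
                eventually(exists(('x',), 'sms', neg(CONTACT_X)))))  # True
```

Note that the `login` event contributes no `sms` tuple, so the quantifier is vacuously satisfied there, and that no domain element outside the trace is ever passed to `contact`: the evaluator only ever calls the I-operator on the numbers 1234 and 5555 that appear in events, which is the restricted quantification the section argues for.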

4 Complexity of monitoring in the first-order case 

LTL^FO as defined above is undecidable, as can be shown by way of the following lemma
whose detailed proof is available in the appendix. It basically helps us reduce finite
satisfiability of standard first-order logic to LTL^FO.

Lemma 1. Let $\varphi$ be a sentence in first-order logic, then we can construct a corresponding
$\psi \in$ LTL^FO s.t. $\varphi$ has a finite model iff $\psi$ is satisfiable.

Theorem 2. LTL^FO is undecidable.

Proof (Idea). Follows from Lemma 1 and Trakhtenbrot's Theorem (cf. [16, §9]).

Let us now define what we mean by Kripke structure in our new setting, and the
generated language of it. The Kripke structures we consider either give rise to infinite
languages (i.e., have a left-total transition relation), or represent traces (i.e., are essentially
linear structures). For brevity, we shall restrict to the definition of the former. Note
that we will also skip detailed redefinitions of the decision problems discussed in §2,
since the employed concepts transfer in a straightforward manner.

Definition 6. Given some $\mathfrak{A}$, a $(\mathfrak{A})$-Kripke structure, or just first-order Kripke structure,
is a state-transition system $\mathcal{K} = (S, s_0, \lambda, \to)$, where $S$ is a finite set of states, $s_0 \in S$
a distinguished initial state, $\lambda : S \to \hat{\mathfrak{A}} \times \mathrm{Ev}$, where $\hat{\mathfrak{A}} = \{\mathfrak{A}' \mid \mathfrak{A}' \sim \mathfrak{A}\}$, a labelling
function, and $\to \subseteq S \times S$ a (left-total) transition relation.

Definition 7. For a $(\mathfrak{A})$-Kripke structure $\mathcal{K}$ with states $s_0, \ldots, s_n$, the generated language
is given as $\mathcal{L}(\mathcal{K}) = \{(\bar{\mathfrak{A}}, w) \mid (\mathfrak{A}_0, w_0) = \lambda(s_0)$ and for all $i \in \mathbb{N}$ there exist
some $j, k \in [0, n]$ s.t. $(\mathfrak{A}_i, w_i) = \lambda(s_j)$, $(\mathfrak{A}_{i-1}, w_{i-1}) = \lambda(s_k)$ and $(s_k, s_j) \in \to\}$.

The inputs to the LTL^FO word problem are therefore an LTL^FO formula and a linear
first-order Kripke structure, representing a finite input trace. Unlike in standard LTL,
we note that

Theorem 3. The word problem for LTL^FO is PSpace-complete.

The inputs to the LTL^FO model checking problem, in turn, are a left-total first-order
Kripke structure, which gives rise to an infinite-trace language, and an LTL^FO formula.

Theorem 4. The model checking problem for LTL^FO is in ExpSpace.

The reason for this result is that we can devise a reduction of the LTL^FO model checking
problem to LTL model checking, using exponential space. While it is easy to obtain a
PSpace lower bound, for example via a reduction of the LTL^FO word problem, we
currently do not know how tight these bounds are and, therefore, leave this as an open
problem. Note also that the results of both Theorem 3 and Theorem 4 are obtained even
without taking into account the complexities of the interpretations of function symbols
and I-operators; that is, for these results to hold, we assume that interpretations do not
exceed polynomial, resp. exponential space.

We have seen in §2 that the prefix problem lies at the heart of an anticipatory monitor.
While in LTL it was possible to build an anticipatory monitor using a model
checker (albeit a very inefficient one), Theorem 5 shows that this is no longer possible
for LTL^FO. Its proof makes use of the following intermediate lemma.

Lemma 2. Let $\mathfrak{A}$ be a first-order structure and $\varphi \in$ LTL^FO, then $\mathcal{L}(\varphi)_{\mathfrak{A}} = \{(\bar{\mathfrak{A}}, w) \mid
\bar{\mathfrak{A}} \sim \mathfrak{A}$, $w \in (2^{\mathrm{Ev}})^\omega$, and $(\bar{\mathfrak{A}}, w) \models \varphi\}$. Testing if $\mathcal{L}(\varphi)_{\mathfrak{A}} \neq \emptyset$ is generally undecidable.

Proof (Idea). By a reduction from Post's Correspondence Problem.

Theorem 5. The prefix problem for LTL^FO is undecidable.

Proof (Idea). Similar to Theorem 1: $(\mathfrak{A}, a) \in \mathrm{bad}(X\varphi)$ iff $\mathcal{L}(\varphi)_{\mathfrak{A}} = \emptyset$ for any $a \in \mathrm{Ev}$.

5 Monitoring LTL^FO

A direct consequence of Theorem 5 is that there cannot exist a complete monitor for
LTL^FO-definable infinite trace languages. Yet one of the main contributions of our work
is to show that one can build a sound and efficient LTL^FO monitor using a new kind of
automaton. Before we go into the details of the actual monitoring algorithm, let us
first consider the automaton model, which we refer to as spawning automaton (SA).
SAs are called that, because when they process their input, they potentially "spawn" a
positive Boolean combination of "children SAs" (i.e., subautomata) in each such step.
Let $B^+(X)$ denote the set of all positive Boolean formulae over the set $X$. We say
that some set $Y \subseteq X$ satisfies a formula $\beta \in B^+(X)$, written $Y \models \beta$, if the truth
assignment that assigns true to all elements in $Y$ and false to all $X - Y$ satisfies $\beta$.

Definition 8. A spawning automaton, or simply SA, is given by $A = (\Sigma, l, Q, Q_0,
\delta_\to, \delta_\downarrow, \mathcal{F})$, where $\Sigma$ is a countable set called alphabet, $l \in \mathbb{N}_0$ the level of $A$, $Q$ a finite
set of states, $Q_0 \subseteq Q$ a set of distinguished initial states, $\delta_\to$ a transition relation,
$\delta_\downarrow$ what is called a spawning function, and $\mathcal{F} = \{F_1, \ldots, F_n \mid F_i \subseteq Q\}$ an acceptance
condition (to be defined later on). $\delta_\to$ is given as $\delta_\to : Q \times \Sigma \to 2^Q$. The
spawning function $\delta_\downarrow$ is then given as $\delta_\downarrow : Q \times \Sigma \to B^+(A^{<l})$, where $A^{<l} = \{A' \mid
A'$ is an SA with level less than $l\}$.

Definition 9. A run of $A = (\Sigma, l, Q, Q_0, \delta_\to, \delta_\downarrow, \mathcal{F})$ over an input sequence $w \in \Sigma^\omega$
is a mapping $\rho : \mathbb{N}_0 \to Q$, s.t. $\rho(0) \in Q_0$ and $\rho(i + 1) \in \delta_\to(\rho(i), w_i)$ for all $i \in \mathbb{N}_0$.
$\rho$ is locally accepting if $\mathrm{Inf}(\rho) \cap F_i \neq \emptyset$ for all $F_i \in \mathcal{F}$, where $\mathrm{Inf}(\rho)$ denotes the set of
states visited infinitely often. It is called accepting if $l = 0$ and it is locally accepting.
If $l > 0$, $\rho$ is called accepting if it is locally accepting and for all $i \in \mathbb{N}_0$ there is a set
$Y \subseteq A^{<l}$, s.t. $Y \models \delta_\downarrow(\rho(i), w_i)$ and all automata $A' \in Y$ have an accepting run, $\rho'$,
over $w^i$. The accepted language of $A$, $\mathcal{L}(A)$, consists of all $w \in \Sigma^\omega$ for which it has at
least one accepting run.

5.1 Spawning automata construction 

Given some $\varphi \in$ LTL^FO, let us now examine in detail how to build the corresponding
SA, $A_\varphi = (\Sigma, l, Q, Q_0, \delta_\to, \delta_\downarrow, \mathcal{F})$ s.t. $\mathcal{L}(A_\varphi) = \mathcal{L}(\varphi)$ holds. To this end, we set
$\Sigma = \{(\mathfrak{A}, a) \mid a \in (\mathfrak{A})\text{-Ev}\}$. If $\varphi$ is not a sentence, we write $A_{\varphi,v}$ to denote the
spawning automaton for $\varphi$ in which free variables are mapped according to a finite set
of valuations $v$.² To define the set of states for an SA, we make use of a restricted
subformula function, $\mathrm{sf}|_\forall(\varphi)$, which is defined like a generic subformula function, except
if $\varphi$ is of the form $\forall\mathbf{x} : p.\ \psi$, we have $\mathrm{sf}|_\forall(\varphi) = \{\varphi\}$. This essentially means that an
SA for a formula $\varphi$ on the topmost level looks like the Büchi automaton (BA, cf. [2])
for $\varphi$, where quantified subformulae have been interpreted as atomic propositions.

For example, if $\varphi = \psi \wedge \forall\mathbf{x} : p.\ \psi'$, where $\psi$ is a quantifier-free formula, then $A_\varphi$,
at the topmost level $n$, is like the BA for the LTL formula $\psi \wedge a$, where $a$ is an atomic
proposition; or in other words, $A_\varphi$ handles the subformula $\forall\mathbf{x} : p.\ \psi'$ separately in
terms of a subautomaton of level $n - 1$ (see also the definition of $\delta_\downarrow$ below).

Finally, we define the closure of $\varphi$ wrt. $\mathrm{sf}|_\forall(\varphi)$ as $\mathrm{cl}(\varphi) = \{\neg\psi \mid \psi \in \mathrm{sf}|_\forall(\varphi)\} \cup
\mathrm{sf}|_\forall(\varphi)$, i.e., the smallest set containing $\mathrm{sf}|_\forall(\varphi)$ which is closed under negation.

The set of states of $A_\varphi$, $Q$, consists of all complete subsets of $\mathrm{cl}(\varphi)$; that is, a set
$q \subseteq \mathrm{cl}(\varphi)$ is complete iff

• for any $\psi \in \mathrm{cl}(\varphi)$ either $\psi \in q$ or $\neg\psi \in q$, but not both; and

• for any $\psi \wedge \psi' \in \mathrm{cl}(\varphi)$, we have that $\psi \wedge \psi' \in q$ iff $\psi \in q$ and $\psi' \in q$; and

• for any $\psi U \psi' \in \mathrm{cl}(\varphi)$, we have that if $\psi U \psi' \in q$ then $\psi' \in q$ or $\psi \in q$, and if
$\psi U \psi' \notin q$, then $\psi' \notin q$.

Let $q \in Q$ and $\mathfrak{A} = (|\mathfrak{A}|, I)$. The transition function $\delta_\to(q, (\mathfrak{A}, a))$ is defined iff

• for all $p(\mathbf{t}) \in q$, we have $\mathbf{t}^I \in p^I$ and for all $\neg p(\mathbf{t}) \in q$, we have $\mathbf{t}^I \notin p^I$,

• for all $r(\mathbf{t}) \in q$, we have $\mathbf{t}^I \in r^I$ and for all $\neg r(\mathbf{t}) \in q$, we have $\mathbf{t}^I \notin r^I$.

In which case, for any $q' \in Q$, we have that $q' \in \delta_\to(q, (\mathfrak{A}, a))$ iff

• for all $X\psi \in \mathrm{cl}(\varphi)$, we have $X\psi \in q$ iff $\psi \in q'$, and

• for all $\psi U \psi' \in \mathrm{cl}(\varphi)$, we have $\psi U \psi' \in q$ iff $\psi' \in q$, or $\psi \in q$ and $\psi U \psi' \in q'$.

2 Considering free variables, even though our runtime policies can only ever be sentences, is
necessary, because an SA for a policy $\varphi$ is inductively defined in terms of SAs for its
subformulae (i.e., $A_\varphi$'s subautomata), some of which may contain free variables.
This is similar to the well known syntax directed construction of BAs (cf. [2]), except
that we also need to cater for quantified subformulae. For this purpose, an inductive
spawning function is defined as follows. If $l > 0$, then $\delta_\downarrow(q, (\mathfrak{A}, a))$ yields

$$\bigwedge_{\forall\mathbf{x} : p.\,\psi \in q} \Big( \bigwedge_{(p, d) \in a} A_{\psi, v'} \Big) \wedge \bigwedge_{\neg\forall\mathbf{x} : p.\,\psi \in q} \Big( \bigvee_{(p, d) \in a} A_{\neg\psi, v''} \Big),$$

where $v' = v \cup \{\mathbf{x} \mapsto d\}$ and $v'' = v \cup \{\mathbf{x} \mapsto d\}$ are sets of valuations; otherwise
$\delta_\downarrow(q, (\mathfrak{A}, a))$ yields $\top$. Moreover, we set $Q_0 = \{q \in Q \mid \varphi \in q\}$, $\mathcal{F} = \{F_{\psi U \psi'} \mid
\psi U \psi' \in \mathrm{cl}(\varphi)\}$ with $F_{\psi U \psi'} = \{q \in Q \mid \psi' \in q \vee \neg(\psi U \psi') \in q\}$, and $l = \mathrm{depth}(\varphi)$,
where $\mathrm{depth}(\varphi)$ is called the quantifier depth of $\varphi$. For some $\varphi \in$ LTL^FO, $\mathrm{depth}(\varphi) = 0$
iff $\varphi$ is a quantifier free formula. The remaining cases are inductively defined as
follows: $\mathrm{depth}(\forall\mathbf{x} : p.\ \psi) = 1 + \mathrm{depth}(\psi)$, $\mathrm{depth}(\psi \wedge \psi') = \mathrm{depth}(\psi U \psi') =
\max(\mathrm{depth}(\psi), \mathrm{depth}(\psi'))$ and $\mathrm{depth}(\neg\psi) = \mathrm{depth}(X\psi) = \mathrm{depth}(\psi)$.
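To make the level-0 part of this construction concrete, here is an added Python example (not the authors' implementation) that computes $\mathrm{sf}|_\forall$, $\mathrm{cl}$, the complete subsets forming $Q$, the initial states $Q_0$, the transition relation $\delta_\to$ with its definedness check, the acceptance sets $F_{\psi U \psi'}$ and the quantifier depth, exactly per the conditions listed above. Quantified subformulae are kept opaque, as the text says (they behave like atomic propositions at this level); the spawning function $\delta_\downarrow$ and the subautomata it creates are not built here. The tuple encoding of formulae, the propositional events (sets of atom names) and the sample formula $a U b$ are constructed for this example.

```python
# Level-0 skeleton of the spawning-automaton construction of Section 5.1: the
# restricted subformula function sf|_forall, the closure cl, the complete subsets
# that form Q, the initial states Q_0, the transition relation delta_-> and the
# acceptance sets F_{psi U psi'}. Added illustration for this page, not the
# authors' implementation. Quantified subformulae are kept opaque (treated like
# atomic propositions, as the text describes); the spawning function delta_down
# that handles them is not built here. Formula encoding is my own:
#   ('ap', name) | ('not', f) | ('and', f, g) | ('X', f) | ('U', f, g)
#   | ('forall', x, p, f)
from itertools import product


def neg(f):
    """Negation with double negation cancelled, so that not-not-psi is psi."""
    return f[1] if f[0] == 'not' else ('not', f)


def sf_forall(f):
    """sf|_forall(f): subformulae of f, not descending into quantified ones."""
    if f[0] in ('ap', 'forall'):
        return {f}
    out = {f}
    for child in f[1:]:
        out |= sf_forall(child)
    return out


def closure(f):
    """cl(f) = sf|_forall(f) closed under (single) negation."""
    sf = sf_forall(f)
    return sf | {neg(g) for g in sf}


def is_complete(q, cl):
    """The three completeness conditions on a subset q of cl(f)."""
    for g in cl:
        if (g in q) == (neg(g) in q):            # exactly one of g, not g
            return False
        if g[0] == 'and' and (g in q) != (g[1] in q and g[2] in q):
            return False
        if g[0] == 'U':
            if g in q and not (g[2] in q or g[1] in q):
                return False
            if g not in q and g[2] in q:
                return False
    return True


def states(f):
    """Q: all complete subsets of cl(f), built by choosing g or not g per g in sf."""
    cl = closure(f)
    sf = sorted(sf_forall(f), key=repr)
    return {frozenset(c) for c in product(*[(g, neg(g)) for g in sf])
            if is_complete(frozenset(c), cl)}


def initial_states(f, Q):
    return {q for q in Q if f in q}


def transition_defined(q, a):
    """delta_-> is defined on (q, a) iff the atoms in q agree with event a."""
    for g in q:
        if g[0] == 'ap' and g[1] not in a:
            return False
        if g[0] == 'not' and g[1][0] == 'ap' and g[1][1] in a:
            return False
    return True


def successors(f, q, a, Q):
    """delta_->(q, a): successor states q' satisfying the X and U conditions."""
    if not transition_defined(q, a):
        return set()
    cl = closure(f)
    out = set()
    for q2 in Q:
        ok = all(((g in q) == (g[1] in q2)) if g[0] == 'X' else
                 ((g in q) == (g[2] in q or (g[1] in q and g in q2)))
                 for g in cl if g[0] in ('X', 'U'))
        if ok:
            out.add(q2)
    return out


def acceptance_sets(f, Q):
    """F_{psi U psi'} = {q | psi' in q or not(psi U psi') in q}, one per until."""
    return {g: frozenset(q for q in Q if g[2] in q or neg(g) in q)
            for g in closure(f) if g[0] == 'U'}


def depth(f):
    """Quantifier depth, which becomes the level l of the SA."""
    if f[0] == 'ap':
        return 0
    if f[0] == 'forall':
        return 1 + depth(f[3])
    return max(depth(c) for c in f[1:])


# Constructed example: phi = a U b (level 0, so A_phi is just a Buechi automaton).
PHI = ('U', ('ap', 'a'), ('ap', 'b'))

if __name__ == '__main__':
    Q = states(PHI)
    q = frozenset({PHI, ('ap', 'a'), ('not', ('ap', 'b'))})
    print(len(Q), len(initial_states(PHI, Q)))        # 5 3
    print(len(successors(PHI, q, {'a'}, Q)))          # 3: every q' containing a U b
    print(len(successors(PHI, q, {'b'}, Q)))          # 0: delta_-> undefined, not b in q
    print(len(acceptance_sets(PHI, Q)[PHI]))          # 4
```

For $a U b$ the five states are the complete subsets of $\{aUb, a, b\}$ and their negations, three of which contain $\varphi$ and are initial; from the state holding $\{aUb, a, \neg b\}$ the until obligation is carried over, so on the event $\{a\}$ every successor must again contain $aUb$, and on $\{b\}$ the transition is undefined because $\neg b \in q$ contradicts the event.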

Lemma 3. Let $\varphi \in$ LTL^FO (not necessarily a sentence) and $v$ be a valuation. For each
accepting run $\rho$ in $A_{\varphi,v}$ over input $(\bar{\mathfrak{A}}, w)$, $\psi \in \mathrm{cl}(\varphi)$, and $i \ge 0$, we have that $\psi \in \rho(i)$
iff $(\bar{\mathfrak{A}}, w, v, i) \models \psi$.

Proof (Idea). By nested induction on $\mathrm{depth}(\varphi)$ and the structure of $\psi \in \mathrm{cl}(\varphi)$.

Theorem 6. The constructed SA is correct in the sense that for any sentence $\varphi \in$
LTL^FO, we have that $\mathcal{L}(A_\varphi) = \mathcal{L}(\varphi)$.

Proof (Idea). $\subseteq$ by Lemma 3. The other direction uses induction on $\mathrm{depth}(\varphi)$.



5.2 Monitor construction 



Before we look at the actual monitor construction, let us first introduce some additional
concepts and notation: For a finite run $\rho$ in $A_\varphi$ over $(\bar{\mathfrak{A}}, u)$, we call $\delta_\downarrow(\rho(j), (\mathfrak{A}_j, u_j)) =
\mathrm{obl}_j$ an obligation, where $0 \le j < |u|$, in that $\mathrm{obl}_j$ represents the language to be
satisfied after $j$ inputs. That is, $\mathrm{obl}_j$ refers to the language represented by the positive
Boolean combination of spawned SAs. We say it is met by the input, if $(\bar{\mathfrak{A}}^j, u^j) \in
\mathrm{good}(\mathrm{obl}_j)$ and violated if $(\bar{\mathfrak{A}}^j, u^j) \in \mathrm{bad}(\mathrm{obl}_j)$. Furthermore, $\rho$ is called potentially
locally accepting, if it can be extended to a run $\rho'$ over $(\bar{\mathfrak{A}}, u)$ together with some infinite
suffix, such that $\rho'$ is locally accepting.

The monitor for a given formula p G LTL FO can now be described in terms of 
two mutually recursive algorithms: The main entry point is Algorithm M. It reads an 
event and issues two calls to a separate Algorithm T, one for p (under a possibly empty 
valuation v) and one for -up (under a possibly empty valuation v). The purpose of 
Algorithm T is to detect bad prefixes wrt. the language of its argument formula, call it 
tp. It does so by keeping track of those finite runs in A$ tV that are potentially locally 
accepting and where its obligations haven't been detected as violated by the input. If 
at any time not at least one such run exists, then a bad prefix has been encountered. 
Algorithm T, in turn, uses Algorithm M to evaluate if obligations of its runs are met or 
violated by the input observed so far (i.e., it inductively creates submonitors): after the 
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ith input, it instantiates Algorithm M with argument ip' (under corresponding valuation 
v') for each Aj,iy that occurs in obli and forwards to it all observed events from time 
point i on. 

Algorithm M (Monitor). The algorithm takes a φ ∈ LTL^FO (under a possibly empty valuation v). Its abstract behaviour is as follows: Let us assume an initially empty first-order temporal structure (𝔄, u). Algorithm M reads an event (𝔄, σ), prints "⊤" if (𝔄𝔄, uσ) ∈ good(φ) (resp. "⊥" for bad(φ)), and returns. Otherwise it prints "?", whereas we now assume that (𝔄, u) = (𝔄𝔄, uσ) holds.³

M1. [Create instances of Algorithm T.] Create two instances of Algorithm T: one with φ and one with ¬φ, and call them T_{φ,v} and T_{¬φ,v}, respectively.

M2. [Forward next event.] Wait for next event (𝔄, σ) and forward it to T_{φ,v} and T_{¬φ,v}.

M3. [Communicate verdict.] If T_{φ,v} sends "no runs", print ⊥ and return. If T_{¬φ,v} sends "no runs", print ⊤ and return. Otherwise, print "?" and go to M2. ▮

Algorithm T (Track runs). The algorithm takes a ψ ∈ LTL^FO (under a corresponding valuation v), for which it creates an SA, A_{ψ,v}. It then reads an event (𝔄, σ) and returns, if A_{ψ,v}, after processing (𝔄, σ), does not have any potentially locally accepting runs, for which obligations haven't been detected as violated. Otherwise, it saves the new state of A_{ψ,v}, waits for new input, and then checks again, and so forth.

T1. [Create SA.] Create an SA, A_{ψ,v}, in the usual manner.

T2. [Wait for new event.] Let (𝔄, σ) be the event that was read.

T3. [Buffer with runs.] Let B and B' be (initially empty) buffers. If B = ∅, for each q ∈ Q_0 and for each q' ∈ δ_→(q, (𝔄, σ)): add (q', [δ_↓(q, (𝔄, σ))]) to B. Otherwise, set B' = B, and subsequently B = ∅. Next, for all (q, [obl_1, ..., obl_n]) ∈ B' and for all q' ∈ δ_→(q, (𝔄, σ)): add (q', [obl_new, obl_1, ..., obl_n]) to B, where obl_new = δ_↓(q, (𝔄, σ)).

T4. [Create submonitors.] For each (q, [obl_new, obl_1, ..., obl_n]) ∈ B: call Algorithm M with argument ψ' (under corresponding valuation v') for each A_{ψ',v'} that occurs in obl_new.

T5. [Iterate over candidate runs.] Assume B = {b_0, ..., b_m}. Create a counter j = 0 and set (q, [obl_0, ..., obl_n]) = b_j to be the jth element of B.

T6. [Send, receive, replace.] For all 0 ≤ i ≤ n: send (𝔄, σ) to all submonitors corresponding to SAs occurring in obl_i and wait for the respective verdicts. For every returned ⊤ (resp. ⊥) replace the corresponding SA in obl_i with ⊤ (resp. ⊥).

T7. [Corresponding run has violated obligations?] For all 0 ≤ i ≤ n: if obl_i = ⊥, remove b_j from B, set j to j + 1, and go to T6.

T8. [Obligations met?] For all 0 ≤ i ≤ n: if obl_i = ⊤, remove obl_i.

T9. [Next run in buffer.] If j < m, set j to j + 1 and repeat step T6.

T10. [Communicate verdict.] If B = ∅, send "no runs" to the calling Algorithm M and return, otherwise send "some run(s)" and go back to T2. ▮



³ Obviously, the monitor does not really keep (𝔄, u) around, or it would be necessarily trace-length dependent. (𝔄, u) is merely used here to explain the inner workings of the monitor.

For a given φ ∈ LTL^FO and (𝔄, u), let us use M_φ(𝔄, u) to denote the successive application of Algorithm M for formula φ first on u_0, then u_1, and so forth. We then get

Theorem 7. M_φ(𝔄, u) = ⊤ ⇒ (𝔄, u) ∈ good(φ) (resp. for ⊥ and bad(φ)).

Proof (Idea). By nested induction over depth(φ) and the length of (𝔄, u).

5.3 Experimental results

To demonstrate the feasibility of our proposed algorithm and to get an intuition on its runtime performance (i.e., average space consumption at runtime), we have implemented the above. The only liberty we took in deviating from our description is the following: since the SAs for φ ∈ LTL^FO on the different levels basically consist of ordinary BAs for the respective subformulae of φ, we have used an "off the shelf" BA generator, lbt⁴, instead of expanding the state-space ourselves. We also compared our implementation with the somewhat naive (but, arguably, easier to implement) approach of monitoring LTL^FO formulae, described in [5]. There, we used the well-known concept of formula rewriting, sometimes referred to as progression: a function, P, continuously "rewrites" a formula φ ∈ LTL^FO using an observed event, σ, in order to obtain a new formula, φ', that states what has to be true now and what in the future. If φ' = ⊤, then σ ∈ good(φ'), if φ' = ⊥ then σ ∈ bad(φ'), otherwise the thereby realised monitor waits for further events to apply its progression function to. P rewrites according to the well-known fixpoint characterisations of LTL operators, such as P(Gφ, σ) = P(φ, σ) ∧ Gφ. This is a well established principle to evaluate LTL formulae over traces in a stepwise manner (cf. [1]).

Some results of this comparison are visualised in Fig. 1. For each LTL^FO formula, we randomly generated 5 traces of length 100 and passed them to the respective algorithm. The x-axis marks the trace length, the y-axis the space consumption of the monitors; that is, the length of the formula after progression vs. the number of automata states. In graph (a) the divergence between both approaches is the most striking as it highlights one of the potential problems of progression, namely that a lot of redundant information can accumulate: If ∀x : p. r(x) ever becomes true, then P will produce a new conjunct G∀y : q. s(y) for each new event, even though semantically it makes no difference. In comparison, the automata-based monitor's size, measured in terms of the number of SA states, stays more or less constant throughout the trace. This can be explained by the fact that for syntactically different, but semantically equivalent formulae our BA generator usually produces the same automaton (as is clearly the case in this example).
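As an added illustration of the progression function P described above and of the accumulation observed in graph (a) (this is our own example code, not the authors' implementation, which used lbt-generated SAs and the progression monitor of [5]), the following Python program implements P for LTL^FO including the quantifier case and records the formula size after each event. The encoding of events as dictionaries, the interpretation of r and s, and the trace are constructed assumptions.

```python
"""Progression-based LTL_FO monitor (added example; not the authors' code)."""

# --- Tuple-based formula AST ---------------------------------------------------
TOP, BOT = ("true",), ("false",)

def var(name): return ("var", name)
def const(value): return ("const", value)
def atom(rel, *terms): return ("atom", rel, tuple(terms))   # r(t) or p(t)
def implies(f, g): return ("or", ("not", f), g)
def always(f): return ("G", f)
def until(f, g): return ("U", f, g)
def forall(x, p, f): return ("forall", x, p, f)              # ∀x : p. f

# Constant-folding constructors. Duplicate conjuncts are deliberately NOT
# merged: this is the redundancy that graph (a) of Fig. 1 exhibits.
def mk_not(f):
    return BOT if f == TOP else TOP if f == BOT else ("not", f)

def mk_and(f, g):
    if BOT in (f, g): return BOT
    return g if f == TOP else f if g == TOP else ("and", f, g)

def mk_or(f, g):
    if TOP in (f, g): return TOP
    return g if f == BOT else f if g == BOT else ("or", f, g)

def subst(f, x, d):
    """Replace the free variable x in f by the domain element d."""
    tag = f[0]
    if tag in ("true", "false"):
        return f
    if tag == "atom":
        return ("atom", f[1], tuple(const(d) if t == var(x) else t for t in f[2]))
    if tag == "forall":
        return f if f[1] == x else ("forall", f[1], f[2], subst(f[3], x, d))
    return (tag,) + tuple(subst(g, x, d) for g in f[1:])

def eval_atom(f, event, struct):
    """Rigid relations come from struct (the structure 𝔄); a unary U-operator
    p(t) holds iff (p, t) is an action of the current event (assumption)."""
    _, rel, terms = f
    if any(t[0] == "var" for t in terms):
        raise ValueError(f"free variable in {f}")
    args = tuple(t[1] for t in terms)
    if rel in struct:
        return bool(struct[rel](*args))
    return len(args) == 1 and args[0] in event.get(rel, set())

def progress(f, event, struct):
    """P(f, σ): evaluate what must hold now, return what remains for the future."""
    tag = f[0]
    if tag in ("true", "false"):
        return f
    if tag == "atom":
        return TOP if eval_atom(f, event, struct) else BOT
    if tag == "not":
        return mk_not(progress(f[1], event, struct))
    if tag == "and":
        return mk_and(progress(f[1], event, struct), progress(f[2], event, struct))
    if tag == "or":
        return mk_or(progress(f[1], event, struct), progress(f[2], event, struct))
    if tag == "X":                              # P(Xψ, σ) = ψ
        return f[1]
    if tag == "G":                              # P(Gψ, σ) = P(ψ, σ) ∧ Gψ
        return mk_and(progress(f[1], event, struct), f)
    if tag == "U":                              # P(ψUψ', σ) = P(ψ', σ) ∨ (P(ψ, σ) ∧ ψUψ')
        return mk_or(progress(f[2], event, struct),
                     mk_and(progress(f[1], event, struct), f))
    if tag == "forall":                         # one conjunct per (p, d) ∈ σ
        x, p, body = f[1], f[2], f[3]
        result = TOP
        for d in sorted(event.get(p, set())):
            result = mk_and(result, progress(subst(body, x, d), event, struct))
        return result
    raise ValueError(f"unknown operator {tag}")

def size(f):
    """Number of AST nodes, i.e. the space the progression monitor keeps."""
    if f[0] in ("true", "false", "atom"): return 1
    return 1 + (size(f[3]) if f[0] == "forall" else sum(size(g) for g in f[1:]))

def monitor(formula, trace, struct):
    """Returns ("⊤" | "⊥" | "?", [formula size after each event])."""
    sizes = []
    for event in trace:
        formula = progress(formula, event, struct)
        sizes.append(size(formula))
        if formula in (TOP, BOT):               # good resp. bad prefix detected
            return ("⊤" if formula == TOP else "⊥"), sizes
    return "?", sizes

# Constructed sample: formula (a) of Fig. 1, G(∀x : p. r(x) ⇒ G∀y : q. s(y)),
# a structure where r holds of even numbers, and a trace whose every event
# makes ∀x : p. r(x) true, so each event adds one redundant conjunct G∀y : q. s(y).
FORMULA_A = always(forall("x", "p",
                          implies(atom("r", var("x")),
                                  always(forall("y", "q", atom("s", var("y")))))))
STRUCT = {"r": lambda d: d % 2 == 0, "s": lambda d: d > 0}
TRACE = [{"p": {2}, "q": set()} for _ in range(5)]
```

Running `monitor(FORMULA_A, TRACE, STRUCT)` yields the verdict "?" with formula sizes 12, 16, 20, 24, 28: the progressed formula grows by one conjunct per event, which is the linear growth of the dashed line in graph (a).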

With minor but noteworthy exceptions, the straight blue lines of (b) and (d) mirror (and scale) the dashed black lines, which means that our monitor is on average smaller by some degree, but in the long run not substantially smaller. Note how, unlike in (b), the straight blue lines in (d) are not exact scaled copies of the black dashed lines, in that the graph depicting the performance of progression has a number of spikes. As the input traces for the monitors are randomly generated, the time when ∀y : q. Xs(y) becomes true differs, and hence the size of the progressed formula may increase, whereas the automata-based monitor stays small for the same reasons as outlined above in (a).

⁴ http://www.tcs.hut.fi/Software/maria/tools/lbt/

Finally, the graph of (c) is interesting in that both monitors show a tendency to grow over time. The reason for that is that the right hand side of the U-operator in (c), Xs(x), makes use of the same x which is quantified on the left hand side. For example, if the events are given by {{p(1), p(2)}, {p(3), p(4), p(5)}}, the monitor would have to remember all the domain elements of the U-operator until Xs(1) ∧ Xs(2) and Xs(3) ∧ Xs(4) ∧ Xs(5) hold. Depending on how late in the trace this is the case (if ever), memory consumption increases for both monitors.



[Figure 1 is not reproduced here; only its panel titles and caption survive.]

(a) G(∀x : p. r(x) ⇒ G∀y : q. s(y))

(b) G(∀x : p. r(x) ⇒ Xs(x))

(c) G(∀x : p. r(x) U Xs(x))

(d) G(∀x : p. r(x) U ∀y : q. Xs(y))

Fig. 1. Automata- (blue lines) vs. progression-based (black dashed lines) LTL^FO-monitoring.



6 Related work 

This is by no means the first work to discuss monitoring of first-order specifications. Mainly motivated by checking temporal triggers and temporal constraints, the monitoring problem for different types of first-order logic has been widely studied in the database community, for example. In that context, Chomicki [7] presents a method to check for violations of temporal constraints, specified using (metric) past temporal operators. The logic in [7] differs from LTL^FO in that it allows natural first-order quantification over a single countable and constant domain, whereas quantified variables in LTL^FO range over elements that occur at the current position of the trace (see also [13, 4]). Presumably, to achieve the same effect, [7] demands that policies are what is called "domain independent", so that statements are only ever made wrt. known objects. As such, domain independence is a property of the policy and shown to be undecidable. In contrast, one could say that LTL^FO has a similar notion of domain independence already built-in, because of its quantifier. Like LTL^FO, the logic in [7] is also undecidable; no function symbols are allowed and relations are required to be finite. However, despite the fact that the prefix problem is not phrased as a decision problem, its basic idea is already denoted by Chomicki under the notion of a potential constraint satisfaction problem. In particular, he shows that the set of prefixes of models for a given formula is not recursively enumerable. On the other hand, the monitor in [7] does not tackle this problem and instead solves what we have introduced as the word problem, which, unlike the prefix problem, is decidable.

Basin et al. [3] extend Chomicki's monitor towards bounded future operators using the same logic. Furthermore, they allow infinite relations as long as these are representable by automatic structures, i.e., automata models. In this way, they show that the restriction on formulae to be domain independent is no longer necessary. LTL^FO, in comparison, is more general, in that it allows computable relations and functions.

The already cited work of Halle and Villemaire [13] describes a monitor for a logic 
with quantification identical to ours, but without function symbols and only equality in- 
stead of arbitrary computable relations. Furthermore, the size of the individual worlds is 
a priori bounded by a fixed value. Additionally, their monitor is fully generated "on the 
fly" by using syntax-based decomposition rules, similar to formula progression. In our 
approach, however, it is possible to pre-compute the individual BAs for the respective 
subformulae of a policy/levels of the SA, and thereby bound the complexity of that part 
of our monitor at runtime by a constant factor. 

Sistla and Wolfson [19] also discuss a monitor for database triggers whose condi- 
tions are specified in a logic, which uses an assignment quantifier that binds a single 
value or a relation instance to a global, rigid variable. Their monitor is represented by a 
graph structure, which is extended by one level for each updated database state, and as 
such proportional in size to the number of updates. 

7 Conclusions 

To the best of our knowledge, our monitoring algorithm is the first to devise anticipatory monitors, i.e., address the prefix problem instead of a (variant of the) word problem, for policies given in an undecidable first-order temporal logic. Moreover, unlike other approaches, such as [19, 13] and even [5], we are able to precompute most of the state space required at runtime (i.e., replace step T1 in Algorithm T with a look-up in a precomputed table of SAs and merely use a new valuation), as the different levels of our SAs correspond to more or less standard BAs that can be generated before monitoring commences. Moreover as required, our monitor is monotonic and in principle trace-length independent. The latter, however, deserves closer examination. Consider the formula given in Fig. 1 (c): it basically forces the monitor to memorise all occurrences of p in every event and keep them until s(x) holds, respectively. If s(x) never holds
(or not for a very long time), the space consumption of the monitor is bound to grow. Hence, unlike in standard LTL, trace-length dependence is not merely a property of the monitor, but also of the specification. We have not yet investigated whether trace-length dependence is decidable and if so, at what cost. However, if the formula is not trace-length dependent, then our monitor is trace-length independent, as desired. Given a φ ∈ LTL^FO of which we know that it is trace-length independent in principle, our monitor's size at runtime at any given time is bounded by O(|σ|^{depth(φ)} · 2^{|cl(φ)|}), where σ is the current input to the monitor: Throughout the depth(φ) levels of the monitor, there are a total of O(|σ|^{depth(φ)}) "submonitors", which are of size O(2^{|cl(φ)|}), respectively. In contrast, the size of a progression-based monitor, even for obviously trace-length independent formulae, such as given in Fig. 1 (a), is, in the worst case, proportional to the length of the trace so far.

Table 1. Overview of complexity results.

            Satisfiability    Word problem       Model checking                      Prefix problem
  LTL       PSpace-complete   < Bilinear-time    PSpace-complete                     PSpace-complete
  LTL^FO    Undecidable       PSpace-complete    ExpSpace-membership, PSpace-hard    Undecidable

In Table 1 we have summarised the main results of §2–§4, highlighting again the differences of LTL compared to LTL^FO. Note that as far as trace-length dependence goes, for LTL it is always possible to devise a trace-length independent monitor (cf. [6]).

Acknowledgements. Our thanks go to Patrik Haslum, Michael Norrish and Peter Baum- 
gartner for helpful comments on earlier drafts of this paper. 
A Detailed proofs

Lemma 1. Let φ be a sentence in first-order logic, then we can construct a corresponding ψ ∈ LTL^FO s.t. φ has a finite model iff ψ is satisfiable.

Proof. We construct ψ as follows. We first introduce a new unary U-operator d whose arity is τ and that does not appear in φ. We then replace every subformula in φ, which is of the form ∀x. θ, with ∀x : d. θ (resp. for ∃x. θ). Next, we encode some restrictions on the interpretation of function and predicate symbols:

• For each constant symbol c in φ, we conjoin the obtained ψ with d(c).

• For each function symbol f in φ of arity n, we conjoin the obtained ψ with ∀x_1 : d. ... ∀x_n : d. d(f(x_1, ..., x_n)).

• For each predicate symbol p in φ of arity n, we conjoin the obtained ψ with ∀(x_1, ..., x_n) : p. d(x_1) ∧ ... ∧ d(x_n).

• We conjoin ∃x : d. d(x) to the obtained ψ to ensure that the domain is not empty.

Finally, we fix the arities of symbols in ψ appropriately to one of the following: τ, τ × ... × τ, τ × ... × τ → τ.

Obviously, the formula ψ, constructed by the procedure above, is a syntactically correct LTL^FO formula. Now, if ψ is satisfiable by some (𝔄', σ), where 𝔄' = (|𝔄'|, I') and σ ∈ (𝔄')-Ev, it is easy to construct a finite model 𝔄 = (|𝔄|, I) s.t. 𝔄 ⊨ φ holds in the classical sense of first-order logic: set |𝔄| = d^{I'}, c^I = c^{I'}, f^I = f^{I'}|_{d^{I'} × ... × d^{I'}}, p^I = p^{I'}, respectively. By an inductive argument one can show that the LTL^FO semantics is preserved. The other direction, if φ is finitely satisfiable, is trivial: set |𝔄'| = τ^{I'} = |𝔄|, c^{I'} = c^I, f^{I'} = f^I, respectively, and σ = {(p, e) | e ∈ p^I} ∪ {(d, e) | e ∈ |𝔄|}. □

Theorem 3. The word problem for LTL^FO is PSpace-complete.

Proof. To evaluate a formula φ ∈ LTL^FO over some linear Kripke structure, 𝒦, we can basically use the inductive definition of the semantics of LTL^FO: If used as a function, starting in the initial state of 𝒦, s_0, it evaluates φ in a depth-first manner with the maximal depth bounded by |φ|.

To show hardness, we reduce the following problem, which is known to be PSpace-complete: Let F = Q_1 x_1. Q_2 x_2. ... Q_n x_n. E(x_1, x_2, ..., x_n), where Q_i ∈ {∀, ∃} and E is a Boolean expression over variables x_1, x_2, ..., x_n. Does F evaluate to ⊤ (cf. [11])? The reduction of this problem proceeds as follows. We first construct a formula φ ∈ LTL^FO in prenex normal form,

$$\varphi = Q_1 x_1 : d.\ Q_2 x_2 : d.\ \ldots\ Q_n x_n : d.\ E(p_{x_1}(x_1), p_{x_2}(x_2), \ldots, p_{x_n}(x_n)).$$

Then, using a U-operator p_{x_i} for every variable x_i, we construct a singleton Kripke structure, 𝒦, s.t. λ(s_0) = (𝔄, {(d, 0), (d, 1), (p_{x_1}, 1), (p_{x_2}, 1), ..., (p_{x_n}, 1)}), where |𝔄| = {0, 1} and I defined accordingly. It can easily be seen that F evaluates to ⊤ iff 𝒦 is a model for φ. Moreover, this construction can be obtained in no more than a polynomial number of steps wrt. the size of the input. □

Theorem 4. The model checking problem for LTL^FO is in ExpSpace.

Proof. For a given φ ∈ LTL^FO and (𝔄)-Kripke structure 𝒦 defined as usual, where 𝔄 = (|𝔄|, I), we construct a propositional Kripke structure 𝒦' and φ' ∈ LTL, s.t. L(𝒦) ⊆ L(φ) iff L(𝒦') ⊆ L(φ') holds. Assuming variable names in φ have been adjusted so that each has a unique name, the construction of φ' proceeds as follows.

Wlog. we can assume |𝔄| to be a finite set {d_0, ..., d_n}. We first set φ' to φ and extend the corresponding τ by the constant symbols c_{d_0}, ..., c_{d_n}, s.t. c_{d_i}^I = d_i respectively; that is, we add the respective interpretations of each c_{d_i} to I. This step obviously does not require more than polynomial space. We then replace all subformulae in φ' of the form ψ = Q x : p. ψ(x) exhaustively with the following constructed ψ':

• Set ψ' = ⊤.

• For each state s ∈ S do the following:

  • Let T = {d | λ(s) = (𝔄', σ), 𝔄' ∼ 𝔄 and (p, d) ∈ σ}.

  • If Q = ∀, then

    $$\psi' = \psi' \wedge \Big(\hat{s} \Rightarrow \bigwedge_{d \in T} \psi(x)[c/x]\Big), \text{ where } c \text{ is s.t. } c^I = d,$$

    otherwise

    $$\psi' = \psi' \wedge \Big(\hat{s} \Rightarrow \bigvee_{d \in T} \psi(x)[c/x]\Big), \text{ where } c \text{ is s.t. } c^I = d,$$

    where ŝ is a fresh, unique predicate symbol meant to represent state s.

Then, for all subformulae in ψ' of the form ŝ ⇒ ψ we do the following:

• For each r(t) occurring in ψ, where r ∈ R and t are terms, let d = t^I, and replace r(t) by a fresh, unique predicate symbol r_d.

It is easy to see that, indeed, φ' is a syntactically correct standard LTL formula, where all quantifiers have been eliminated. In terms of space complexity, note that in the first loop, we replace each quantified formula by an expression at least |𝒦| times longer than the original quantified formula. In the worst case, the final formula's length will be exponential in the number of quantifiers.

We now define the propositional Kripke structure 𝒦' = (S', s'_0, λ', →') as follows. Let S' = S, s'_0 = s_0, and →' = →. In what follows, let s be a state and λ(s) = ((|𝔄|, I), σ). (Note, this is the labelling function of 𝒦.) The alphabet of 𝒦' is given by 2^AP, where AP = {r_d | r ∈ R and d ∈ |𝔄|} ∪ {ŝ | s ∈ S}. Finally, we define the labelling function of 𝒦' as λ'(s) = {ŝ} ∪ {r_d | r ∈ R and r^I(d) is true}. It is easy to see that, indeed, 𝒦' preserves all the runs possible through 𝒦.

One can show by an easy induction on the structure of φ' that, indeed, L(𝒦) ⊆ L(φ) iff L(𝒦') ⊆ L(φ') holds. □

Lemma 2. Let 𝔄 be a first-order structure and φ ∈ LTL^FO, then L(φ)_𝔄 = {(𝔄', w) | 𝔄' ∼ 𝔄, w ∈ (2^Ev)^ω, and (𝔄', w) ⊨ φ}. Testing if L(φ)_𝔄 ≠ ∅ is generally undecidable.

Proof. Let K = (x_1, y_1), ..., (x_k, y_k) be an instance of Post's Correspondence Problem over Σ = {0, 1}, where x_i, y_i ∈ Σ^+, which is known to be undecidable in this form. Let us now define a formula φ_K = ∃u : z. pcp(u), a structure 𝔄 = (Σ^+, I), s.t. pcp^I(u) iff u = x_{i_1} ... x_{i_n} = y_{i_1} ... y_{i_n}, where u ∈ Σ^+ and pcp is of corresponding arity. Obviously, pcp^I(u) can be computed in finite time for any given u. Let us now show that L(φ_K)_𝔄 ≠ ∅ iff K has a solution.

(⇒:) Because L(φ_K)_𝔄 ≠ ∅, let's assume there is a word u ∈ Σ^+ s.t. (z, u) ∈ σ and (𝔄, σ) ∈ L(φ_K)_𝔄. By the choice of pcp^I, there exists a sequence of indices, i_1, ..., i_n, s.t. u = x_{i_1} ... x_{i_n} = y_{i_1} ... y_{i_n}, i.e., K has a solution.

(⇐:) Let's assume K has a solution, i.e., there exists a word u ∈ Σ^+ and a sequence of indices, i_1, ..., i_n, s.t. u = x_{i_1} ... x_{i_n} = y_{i_1} ... y_{i_n}. We now have to show that L(φ_K)_𝔄 ≠ ∅. For this purpose, set σ = {(z, u)}, then (𝔄, σ) ∈ L(φ_K)_𝔄 and, consequently, L(φ_K)_𝔄 ≠ ∅. □

Theorem 5. The prefix problem for LTL^FO is undecidable.

Proof. By way of a similar reduction used in Theorem 1 already, i.e., for any φ, 𝔄, and σ ∈ Ev we have that (𝔄, σ) ∈ bad(Xφ) iff L(φ)_𝔄 = ∅. The ⇐-direction is obvious. For the other direction:

  (𝔄, σ) ∈ bad(Xφ)
  ⇒ for all 𝔄' ∼ 𝔄 and w ∈ Ev^ω, we have that (𝔄𝔄', σw) ⊭ Xφ
  ⇒ for all 𝔄' ∼ 𝔄 and w ∈ Ev^ω, we have that (𝔄', w) ⊭ φ
  ⇒ L(φ)_𝔄 = ∅ (which is generally undecidable by Lemma 2).

□

Lemma 3. Let φ ∈ LTL^FO (not necessarily a sentence) and v be a valuation. For each accepting run ρ in A_{φ,v} over input (𝔄, w), ψ ∈ cl(φ), and i ≥ 0, we have that ψ ∈ ρ(i) iff (𝔄, w, v, i) ⊨ ψ.

Proof. We proceed by a nested induction on depth(φ) and the structure of ψ ∈ cl(φ). For the base case let depth(φ) = 0: We fix ρ to be an accepting run in A_{φ,v} over (𝔄, w), and proceed by induction over those formulae ψ ∈ cl(φ) which are of depth zero (i.e., without quantifiers) since depth(φ) = 0. Therefore, this case basically resembles the correctness argument of Büchi automata for propositional LTL (cf. [2, §5]). For an arbitrary i ≥ 0, we have

• ψ = r(t):

  r(t) ∈ ρ(i) ⟺ t^I ∈ r^I (by the definition of δ_→),
  where, as before, for any variable x in t, by x^I we mean v(x)
  ⟺ (𝔄, w, v, i) ⊨ r(t) (by the semantics of LTL^FO)

• ψ = p(t): analogous to the above.

• ψ = ¬ψ':

  ¬ψ' ∈ ρ(i) ⟺ ψ' ∉ ρ(i) (by the completeness assumption of all q ∈ Q)
  ⟺ (𝔄, w, v, i) ⊭ ψ' (by induction hypothesis)
  ⟺ (𝔄, w, v, i) ⊨ ¬ψ' (by the semantics of LTL^FO)

• ψ = ψ_1 ∧ ψ_2:

  ψ_1 ∧ ψ_2 ∈ ρ(i) ⟺ {ψ_1, ψ_2} ⊆ ρ(i) (by the completeness assumption of all q ∈ Q)
  ⟺ (𝔄, w, v, i) ⊨ ψ_1 and (𝔄, w, v, i) ⊨ ψ_2 (by induction hypothesis)
  ⟺ (𝔄, w, v, i) ⊨ ψ_1 ∧ ψ_2 (by the semantics of LTL^FO)

• ψ = Xψ':

  Xψ' ∈ ρ(i) ⟺ ψ' ∈ ρ(i + 1) (by the definition of δ_→)
  ⟺ (𝔄, w, v, i + 1) ⊨ ψ' (by induction hypothesis)
  ⟺ (𝔄, w, v, i) ⊨ Xψ' (by the semantics of LTL^FO)

• ψ = ψ_1Uψ_2: we first show the ⇒-direction. For this, let us first show that there is a j ≥ i, such that (𝔄, w, v, j) ⊨ ψ_2 holds. For suppose not, then for all j ≥ i, we have that (𝔄, w, v, j) ⊭ ψ_2 and, consequently, by induction hypothesis ψ_2 ∉ ρ(j). By definition of δ_→, since ψ_1Uψ_2 ∈ ρ(i) and there isn't a j s.t. ψ_2 ∈ ρ(j), we have that ψ_1 ∈ ρ(j) and ψ_1Uψ_2 ∈ ρ(j + 1) for all j ≥ i. On the other hand, ρ is accepting in A_{φ,v}, thus there exist infinitely many j ≥ i, s.t. ψ_1Uψ_2 ∉ ρ(j) or ψ_2 ∈ ρ(j) by the definition of the generalised Büchi acceptance condition 𝓕, which is a contradiction. Let us, in what follows, fix the smallest such j. We still need to show that for all i ≤ k < j, (𝔄, w, v, k) ⊨ ψ_1 holds. As j is the smallest such j, where ψ_2 ∈ ρ(j), it follows that ψ_2 ∉ ρ(k) for any such k. As ψ_1Uψ_2 ∈ ρ(i), it follows by definition of δ_→ that ψ_1 ∈ ρ(i) and ψ_1Uψ_2 ∈ ρ(i + 1). We can then inductively apply this argument to all i ≤ k < j, such that ψ_1 ∈ ρ(k) and ψ_1Uψ_2 ∈ ρ(k + 1) hold. The statement then follows from the induction hypothesis.

Let us now focus on the ⇐-direction, i.e., we show that (𝔄, w, v, i) ⊨ ψ_1Uψ_2 implies ψ_1Uψ_2 ∈ ρ(i). By assumption, there is a j ≥ i, such that (𝔄, w, v, j) ⊨ ψ_2 and for all i ≤ k < j, we have that (𝔄, w, v, k) ⊨ ψ_1. Therefore, by induction hypothesis, ψ_2 ∈ ρ(j) and ψ_1 ∈ ρ(k) for all such k. Then, by the completeness assumption of all q ∈ Q, we also get ψ_1Uψ_2 ∈ ρ(j), and if j = i, we are done. Otherwise with an inductive argument similar to the previous case on k = j − 1, k = j − 2, ..., k = i, we can infer that ψ_1Uψ_2 ∈ ρ(k).

Let depth(φ) = n > 0, i.e., we suppose that our claim holds for all formulae with quantifier depth less than n. We continue our proof by structural induction, where the quantifier free cases are almost exactly as above. Therefore, we focus only on the following case.

• ψ = ∀x : p. ψ': for this case, as before with the U-operator, we will first show the ⇒-direction, i.e., for all i ≥ 0 we have ∀x : p. ψ' ∈ ρ(i) implies (𝔄, w, v, i) ⊨ ∀x : p. ψ'. By the semantics of LTL^FO, the latter is equivalent to: for all (p, d) ∈ w_i, (𝔄, w, v ∪ {x ↦ d}, i) ⊨ ψ'. If there is no (p, d) ∈ w_i the statement is vacuously true. Otherwise, there are some actions (p, d) ∈ w_i and

$$\delta_\downarrow(\rho(i), (\mathfrak{A}_i, w_i)) = B \wedge \bigwedge_{(p,d) \in w_i} A_{\psi', v \cup \{x \mapsto d\}},$$

where B is a Boolean combination of SAs corresponding to the remaining elements in ρ(i). As ρ is accepting in A_{φ,v}, there exists a Y_i satisfying δ_↓(ρ(i), (𝔄_i, w_i)), s.t. all A ∈ Y_i have an accepting run on input (𝔄^i, w^i). It follows that Y_i contains an automaton A_{ψ', v ∪ {x ↦ d}} for each action (p, d) ∈ w_i that has an accepting run ρ'. As the respective levels of these automata is n − 1, we can use the induction hypothesis and note that the following holds true for each of the A_{ψ', v ∪ {x ↦ d}} ∈ Y_i:

  for all ν ∈ cl(ψ') and l ≥ 0, ν ∈ ρ'(l) iff (𝔄, w, v ∪ {x ↦ d}, i + l) ⊨ ν.

We can now set ν = ψ', respectively, and l = 0, from which it follows that ψ' ∈ ρ'(0) iff (𝔄, w, v ∪ {x ↦ d}, i) ⊨ ψ', respectively. As by construction of an SA the initial states of runs contain the formula which the SA represents, we have ψ' ∈ ρ'(0) and hence (𝔄, w, v ∪ {x ↦ d}, i) ⊨ ψ', respectively. As this holds for all A_{ψ', v ∪ {x ↦ d}}, where (p, d) ∈ w_i, it follows by semantics of LTL^FO that (𝔄, w, v, i) ⊨ ∀x : p. ψ'.

Let us now consider the ⇐-direction, i.e., (𝔄, w, v, i) ⊨ ∀x : p. ψ' implies ∀x : p. ψ' ∈ ρ(i), which we show by contradiction. Suppose ∀x : p. ψ' ∉ ρ(i), which implies by the completeness assumption of all q ∈ Q that ¬∀x : p. ψ' ∈ ρ(i) holds. If there is no (p, d) ∈ w_i, then δ_↓(ρ(i), (𝔄_i, w_i)) is equivalent to ⊥ and ρ could not be accepting. Therefore there must be some (p, d) ∈ w_i, s.t.



where B is a Boolean combination of SAs corresponding to the remaining elements in ρ(i). Because ρ is accepting in A_{φ,v}, there exists a Y_i such that Y_i ⊨ δ_↓(ρ(i), (𝔄_i, w_i)), and there is at least one SA, A' = A_{¬ψ', v ∪ {x ↦ d}} ∈ Y_i with corresponding (p, d) ∈ w_i, s.t. (𝔄^i, w^i) is accepted by A' as input; that is, A' has an accepting run, ρ', on said input. As this automaton's level is n − 1, we can apply the induction hypothesis and obtain

  for all ν ∈ cl(¬ψ') and l ≥ 0, ν ∈ ρ'(l) iff (𝔄, w, v ∪ {x ↦ d}, i + l) ⊨ ν.

We can now set ν = ¬ψ' and l = 0, and since ν belongs to the initial states in accepting runs, we derive (𝔄, w, v ∪ {x ↦ d}, i) ⊨ ¬ψ', which is a contradiction to our initial hypothesis. □

Theorem 6. The constructed SA is correct in the sense that for any sentence φ ∈ LTL^FO, we have that L(A_φ) = L(φ).

Proof. ⊆: Follows from Lemma 3: let ρ be an accepting run over (𝔄, w) in A_φ. By definition of an (accepting) run, φ ∈ ρ(0), and therefore (𝔄, w) ∈ L(φ).

⊇: We show the more general statement: Given a (possibly not closed) formula φ ∈ LTL^FO and valuation v. It holds that {(𝔄, w) | (𝔄, w, v, 0) ⊨ φ} ⊆ L(A_{φ,v}). We define for all i ≥ 0 the set ρ(i) = {ψ ∈ cl(φ) | (𝔄, w, v, i) ⊨ ψ} for some arbitrary but fixed formula φ ∈ LTL^FO and valuation v, and arbitrary but fixed (𝔄, w), where (𝔄, w, v, 0) ⊨ φ. Let us now show that ρ = ρ(0)ρ(1)... is a well-defined run in A_{φ,v} over (𝔄, w): Firstly, from the construction of Q, it follows that for all i, ρ(i) ∈ Q. Secondly, since φ ∈ cl(φ) and (𝔄, w, v, 0) ⊨ φ, ρ(0) always contains φ. Thirdly, ρ(i + 1) ∈ δ_→(ρ(i), (𝔄_i, w_i)) holds for all i. The latter is the case iff

• for all Xψ ∈ cl(φ): Xψ ∈ ρ(i) iff ψ ∈ ρ(i + 1), and

• for all ψ_1Uψ_2 ∈ cl(φ): ψ_1Uψ_2 ∈ ρ(i) iff ψ_2 ∈ ρ(i) or (ψ_1 ∈ ρ(i) and ψ_1Uψ_2 ∈ ρ(i + 1)).
The first condition can be shown as follows:

  Xψ ∈ ρ(i) ⟺ (𝔄, w, v, i) ⊨ Xψ (by definition of ρ(i))
  ⟺ (𝔄, w, v, i + 1) ⊨ ψ (by the semantics of LTL^FO)
  ⟺ ψ ∈ ρ(i + 1) (by the definition of ρ(i + 1)).

The second can be shown as follows:

  ψ_1Uψ_2 ∈ ρ(i) ⟺ (𝔄, w, v, i) ⊨ ψ_1Uψ_2 (by definition of ρ(i))
  ⟺ (𝔄, w, v, i) ⊨ ψ_2 ∨ (ψ_1 ∧ X(ψ_1Uψ_2))
  ⟺ (𝔄, w, v, i) ⊨ ψ_2 or ((𝔄, w, v, i) ⊨ ψ_1 and (𝔄, w, v, i + 1) ⊨ ψ_1Uψ_2)
  ⟺ ψ_2 ∈ ρ(i) or (ψ_1 ∈ ρ(i) and ψ_1Uψ_2 ∈ ρ(i + 1)) (by definition of ρ).

It remains to show that ρ is also accepting in A_{φ,v}. We proceed by induction on depth(φ). In what follows, let depth(φ) = 0, i.e., we are showing local acceptance only. By the definition of acceptance we must have that for all ψ_1Uψ_2 ∈ cl(φ), there exist infinitely many i ≥ 0, s.t. ρ(i) ∈ F_{ψ_1Uψ_2}, where F_{ψ_1Uψ_2} ∈ 𝓕. For suppose not, i.e., there are only finitely many such i, then there is a k ≥ 0, s.t. for all j ≥ k we have ρ(j) ∉ F_{ψ_1Uψ_2} and therefore ψ_1Uψ_2 ∈ ρ(j) and ψ_2 ∉ ρ(j) by definition of F_{ψ_1Uψ_2}. In particular, from ψ_1Uψ_2 ∈ ρ(k) we derive by construction of ρ(k) that there must be some g ≥ k, s.t. (𝔄^g, w^g) ∈ L(ψ_2) and thus ψ_2 ∈ ρ(g) with g ≥ k. Contradiction.

Let us now assume the statement holds for all formulae with depth strictly less than n and assume depth(φ) = n, where n > 0. We don't show local acceptance of ρ as it is virtually the same as in the base case, and instead go on to show that for all i ≥ 0, there is a Y_i, s.t. Y_i ⊨ δ_↓(ρ(i), (𝔄_i, w_i)) and all A ∈ Y_i are accepting (𝔄^i, w^i). Let us define the following two sets:

$$Y_i^1 = \{A_{\psi, v \cup \{x \mapsto d\}} \mid \forall x : p.\,\psi \in \rho(i) \text{ and } (p,d) \in w_i\}$$

and

$$Y_i^2 = \{A_{\neg\psi, v \cup \{x \mapsto d\}} \mid \neg\forall x : p.\,\psi \in \rho(i),\ (p,d) \in w_i,\ \text{and } (\mathfrak{A}, w, v \cup \{x \mapsto d\}, i) \not\models \psi\}.$$

Set Y_i = Y_i^1 ∪ Y_i^2, which by construction satisfies δ_↓(ρ(i), (𝔄_i, w_i)). We still need to show that every automaton in this set accepts (𝔄^i, w^i). Now for A_{ν, v ∪ {x ↦ d}} ∈ Y_i we have either ν = ψ for some ∀x : p. ψ ∈ ρ(i) and (p, d) ∈ w_i, or ν = ¬ψ for some ¬∀x : p. ψ ∈ ρ(i) and (p, d) ∈ w_i s.t. (𝔄, w, v ∪ {x ↦ d}, i) ⊭ ψ holds. In either case by definition of ρ(i) and semantics of LTL^FO, it follows that (𝔄, w, v ∪ {x ↦ d}, i) ⊨ ν. Since the level of A_{ν, v ∪ {x ↦ d}} is strictly less than n, we can apply the induction hypothesis and construct an accepting run for (𝔄^i, w^i), where (𝔄, w, v ∪ {x ↦ d}, i) ⊨ ν, in A_{ν, v ∪ {x ↦ d}}. The statement follows. □

Theorem 7. M v (f&, u) = T (a, u) e good(^) (resp. for _L and bad(y)). 

Proof. We prove the more general statement $M_{\varphi,v}(\mathfrak{A}, u) = \top \Rightarrow (\mathfrak{A}, u) \in good(\varphi, v)$, where $\varphi$ possibly has some free variables and $v$ is a valuation, by a nested induction over $depth(\varphi)$.
• For the base case let $depth(\varphi) = 0$, where $\varphi$ possibly has free variables, let $(\mathfrak{A}, u)$ be an arbitrary but fixed prefix and $v$ a valuation. Suppose $M_{\varphi,v}(\mathfrak{A}, u)$ returns $\top$ after processing $(\mathfrak{A}, u)$, but $(\mathfrak{A}, u) \notin good(\varphi, v)$. By M3 and T10, the buffer of $T_{\neg\varphi,v}$ is empty, i.e., $B_{\neg\varphi,v} = \emptyset$. By T3, and because $\mathcal{A}_{\neg\varphi,v}$ has an accepting run $\rho$ over $(\mathfrak{A}, u)$ with some suffix, $B_{\neg\varphi,v}$ contains $(\rho(|u|), [\top])$ after processing $(\mathfrak{A}, u)$. Furthermore, because $\delta_{\neg\varphi}$ yields $\top$ for any input iff $depth(\neg\varphi) = 0$, no run in the buffer is ever removed in T7. Contradiction.

• Let $depth(\varphi) > 0$, $(\mathfrak{A}, u)$ be an arbitrary but fixed prefix and $v$ a valuation. Under the same assumptions as above, we will reach a contradiction by showing that after processing $(\mathfrak{A}, u)$ there is a sequence of obligations $(\rho(|u|), [obl_0, \ldots, obl_n])$ in the buffer $B_{\neg\varphi,v}$ which corresponds to an accepting run $\rho$ of $\mathcal{A}_{\neg\varphi,v}$ over $(\mathfrak{A}, u)$ with some suffix $(\mathfrak{A}', w')$. That is, $M_{\varphi,v}$ cannot return $\top$ after $B_{\neg\varphi,v}$ is empty while $B_{\neg\varphi,v}$ contains the above mentioned sequence at the same time. By T3, $B_{\neg\varphi,v}$ contains a sequence $(\rho(|u|), [obl_0, \ldots, obl_n])$ that was incrementally created while processing $(\mathfrak{A}, u)$ wrt. $\delta_{\neg\varphi}$, possibly with some obligations removed if they were detected to be met by the input. We now show that this sequence is never removed from the buffer in T7. Suppose the run has been removed; then there was an $obl_j = \delta_{\neg\varphi}(\rho(j), (\mathfrak{A}_j, u_j))$, that is



with $v' = v \cup \{x \mapsto d\}$ and $v'' = v \cup \{x \mapsto d\}$, which evaluated to $\bot$ after $l$ steps, with $0 \leq j \leq l \leq |u|$. That is, at least one submonitor corresponding to an automaton in the second conjunction has returned $\bot$ (or all submonitors corresponding to automata in a disjunction, for which the following argument would be similar). Wlog. let $\forall x : p.\,\psi \in \rho(j)$, $(p, d) \in u_j$, and $M_{\psi,v'}(\mathfrak{A}_j, \ldots, \mathfrak{A}_l, u_j, \ldots, u_l) = \bot$, i.e., $M_{\psi,v'}$ is the submonitor corresponding to $\mathcal{A}_{\psi,v'}$. As $level(\psi) < level(\varphi)$, it follows from the induction hypothesis that $(\mathfrak{A}_j, \ldots, \mathfrak{A}_l, u_j, \ldots, u_l) \in bad(\psi, v')$, i.e., $(\mathfrak{A}_j, \ldots, \mathfrak{A}_l\mathfrak{A}'', u_j, \ldots, u_l w'') \not\models \psi$ under valuation $v'$ for any $(\mathfrak{A}'', w'')$, and therefore $(\mathfrak{A}_j, \ldots, \mathfrak{A}_l\mathfrak{A}'', u_j, \ldots, u_l w'') \not\models \forall x : p.\,\psi$ under valuation $v$. But as $\rho$ over $(\mathfrak{A}\mathfrak{A}', uw')$ is an accepting run of $\mathcal{A}_{\neg\varphi,v}$ and $\forall x : p.\,\psi \in \rho(j)$, it follows that $(\mathfrak{A}_j \ldots \mathfrak{A}_{|u|}\mathfrak{A}', u_j \ldots u_{|u|} w') \models \forall x : p.\,\psi$. Now we choose $(\mathfrak{A}'', w'')$ to be $(\mathfrak{A}_{l+1}, \ldots, \mathfrak{A}_{|u|}\mathfrak{A}', u_{l+1}, \ldots, u_{|u|} w')$. Contradiction.

As for our second statement above, it can be shown similarly. □
